[OpenID] Thinking About OpenID.com
Peter Williams
pwilliams at rapattoni.com
Sun Mar 23 21:38:53 UTC 2008
From: Eddy Nigg (StartCom Ltd.)
Sent: Thu 3/20/2008 10:19 AM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] Thinking About OpenID.com

+1

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: xmpp:startcom at startcom.org
Blog: Join the Revolution!
Phone: +1.213.341.0390
Eddy:

The more I look at it, OpenID2 does have a federation model. It simply takes the form of an OOB assurance/equivalence graph connecting the authorities choosing to recognise each other's naming contexts, in the XRI directory. To build n reputation services, n assurance authorities (including #you, #me, and #him) simply publish their particular list of equivalences at some newly-defined SEP. Today, this list could easily feed into one's local system's XACML standard PEP/PDP evaluation logic, as a set of "environmental" attributes.

This is almost identical to the DEC/CCITT model, used in the X.500 era. (The DEC name server was in NCSC A1 evaluation, until the eval was pulled. The A1 assurance claims were supported by the formal model of Lampson, Burrows, Abadi & co, expressed in a custom modal logic for authentication handoffs between naming authorities.) To publish your own assurance statement, you put a list of cross-certs in your personal "directory" entry (aka contact references page, in XRI land)!

I feel pretty comfortable with the above, since I understand it - and there is solid academic review and pedigree for the references. It is all mostly out of US patent controls, too; bar a few continuations. It's rather more complex, though, than a simple file that signs a set of signed metadata files (1 per spoke in the InCommon model), or a Windows CTL (sign a list of signed X.509 certs/roots, IIS6).

It's interesting to see all this make a comeback, in a new "web-model" embodiment. I think I'm going to spend the afternoon playing with the open source server, providing the name/authority resolution service. Be fun to see how the handling of knowledge management between all the naming contexts differs from what folks were doing in the Internet X.500 experiment, ~20 years ago, now.

Some enterprising Semweb type doing research would be well served to (a) implement the XRI query parser, and (b) implement the Lampson logic using the SPARQL expression-extension conventions, so as to practically enforce the relying-party's security policy using semweb categorical inferences, rather than use XACML's fixed algorithm.

Peter.
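The assurance/equivalence graph Peter describes (each authority publishing which other naming contexts it recognises, and a relying party deriving its trusted set from that graph to feed a PEP/PDP-style decision) can be sketched in a few dozen lines. The following is an added illustration written for this archive page, not code from the thread, from OpenID, or from any XRI implementation. The authority names, the published equivalence lists, the assurance levels and the policy values are all constructed; the "weakest link" rule and the chain-length bound are assumptions of this sketch, chosen because they are the caveats a relying party usually wants when cross-certification chains are allowed to grow transitively.

```python
from collections import deque

# Constructed sample: each authority publishes, at a hypothetical equivalence
# endpoint, the naming authorities it recognises plus an assurance level
# (higher is stronger). Names are placeholders, not real XRIs or i-names.
PUBLISHED_EQUIVALENCES = {
    "=me":   [("=you", 3), ("=him", 2)],
    "=you":  [("=me", 3), ("=her", 1)],   # =you/=me form a cycle on purpose
    "=him":  [("=them", 3)],
    "=her":  [],
    "=them": [("=you", 2)],
}


def trusted_contexts(published, anchors, max_depth, min_assurance):
    """Derive the relying party's trusted naming contexts from the graph.

    Breadth-first walk from the RP's own anchors. Each reached authority is
    recorded as (chain_length, assurance), where assurance is the weakest
    link on the best path found. A path whose weakest link drops below
    min_assurance is not extended, and chains longer than max_depth are
    cut off, so transitive recognition cannot silently widen the trust set.
    The visited map also keeps cycles (=me <-> =you) from looping.
    """
    best = {a: (0, float("inf")) for a in anchors}
    queue = deque(anchors)
    while queue:
        cur = queue.popleft()
        depth, assurance = best[cur]
        if depth >= max_depth:
            continue
        for peer, level in published.get(cur, []):
            path_assurance = min(assurance, level)
            if path_assurance < min_assurance:
                continue  # weakest link below the policy floor
            cand = (depth + 1, path_assurance)
            prev = best.get(peer)
            # Prefer the higher-assurance path, then the shorter chain.
            if prev is None or (cand[1], -cand[0]) > (prev[1], -prev[0]):
                best[peer] = cand
                queue.append(peer)
    return best


def decide(policy, subject_authority, published=PUBLISHED_EQUIVALENCES):
    """PDP-style decision: is an identifier under subject_authority
    acceptable under the RP's policy? The derived trusted set plays the
    role of the 'environmental' attributes Peter mentions."""
    env = trusted_contexts(published, policy["anchors"],
                           policy["max_depth"], policy["min_assurance"])
    hit = env.get(subject_authority)
    if hit is None:
        return ("Deny", "no recognised chain to %s" % subject_authority)
    depth, assurance = hit
    return ("Permit", "chain length %d, assurance %s" % (depth, assurance))


if __name__ == "__main__":
    # Constructed RP policy: trust ourselves, allow two hops, require level 2.
    policy = {"anchors": ["=me"], "max_depth": 2, "min_assurance": 2}
    for authority in ("=you", "=him", "=them", "=her"):
        print(authority, decide(policy, authority))
```

Running it shows `=you`, `=him` and `=them` permitted (the last via the two-hop chain through `=him`, at assurance 2) and `=her` denied, because the only route to `=her` passes a level-1 link below the policy floor. Raising `min_assurance` to 3 also drops `=him` and everything behind it, which is the "weakest link" property a relying party usually wants before it lets someone else's cross-certs drive its own decisions.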